IT Security Whiz Says Best Defense Blends People, Tech Gear

KENSINGTON, Md. - Walk softly but carry a big firewall, and back up what's behind it. That's the word from Tim Kersnick, a self-employed IT security consultant who has spent the past several months working at Lafayette FCU in suburban Washington, D.C., but has a career in financial services IT security spanning decades and continents. Kersnick has seen a lot and feels strongly about financial institutions' need to protect their data and the people whose money and personal information they harbor. "When I started, I was 15 and the only kid in my town with a computer. Things have changed so much," he says. "Everything's connected and new threats pop up every hour, and banks and credit unions have a responsibility to society to make sure they do everything they can to be as secure as possible." Credit unions hold a special place for him, and with their special relationship with their consumer base, Kersnick has long been helping them keep that member-centric focus in the lobby while keeping the information lockbox secure behind the scenes. Kersnick's experience with credit unions extends back to 1997, when he put in one of the early WANs (wide-area networks) at Bayer FCU in Pittsburgh. From there he went on to do specialized security work, responsible for virtual private networks, encryption deployments and security assessments for a range of multinationals. Some of his most far-flung assignments included setting up WANs from Melbourne to Sydney in Australia and, for Barclays, from Singapore to Hong Kong. He also has connected such systems through the major international Internet traffic center in Ashburn, Va. 
Wanting to spend more time at home and with his family, Kersnick, who holds degrees in computer science and electrical and mechanical engineering, now has his own consultancy, Bluefish Systems (www.bluefishsystems.com), whose first client was Lafayette FCU, where he has gained a big fan in John Straub, the $300 million CU's vice president of information technology. The company Kersnick worked for at the time was brought in to manage the installation of 20 DSL lines to connect an ATM network into a VPN, Straub said. An unusual router setup had been installed in the virtual private network, and when Kersnick heard Straub complain that nobody but the original installers understood it, Kersnick jumped in. "Tim immediately telnetted into the router, took a look at the config, telnetted into a similar router, copied the config file and installed it on the sick router," Straub says. "He needed to alter a number of registry entries to get the required permissions, and the thing was up and running in a total of five minutes! I was flabbergasted. At best I had expected the ATM machine to be down for a day while I searched for help from the provider of the router, which was no longer in business." Besides his intuitive ability to understand "UNIX, Windows, Active Directory, Cisco, TCP/IP, anything related to networking," Straub says, Kersnick became well known around the FCU for the figure he cut when he was hard at work. "He's a casual dresser and almost always worked slouched in a chair, feet up on another chair, with a huge laptop balanced on his lap," Straub says. "Even in this pose he looks serious and intense when he's in his zone, which he often is." Kersnick comes out of that zone to share his knowledge and has "become legendary in my shop of quite well-qualified technicians," Straub says. 
"He's always willing to share his secrets with my staff, and in fact, takes extra pains to do so." Kersnick, for his own part, says he appreciates the open atmosphere of credit unions compared with the banks he's served, an openness he said creates the need to perhaps be even more diligent about possible security lapses. It starts out in front. "Banks have these strict policies, always aimed at preserving everything from income to property," he says. "It's all right in your face, beginning with the bulletproof glass and PIN pads in the lobby. Heck, some want to charge you to talk to a teller. "Credit unions are more like a family. They have to be friendlier. But do you need a friendly security guard? Do you want a friendly firewall? Friendly and security are terms that don't mix well. So at a credit union, you have to do a little more to hide those sorts of measures, to keep them in the back office," the 21-year network security veteran says. "You have to keep the friendlies in front and the uglies in back," he says. Security is a mixture of technology, internal controls and training, Kersnick adds. Don't let staffers download programs like AOL onto their PCs. And don't let them use eBay at work, because it's a hotspot for malicious, intrusive stuff. Beware of popups and cookies and email attachments, all of which can be used by outsiders to quickly glean information about the credit union and its internal systems. And, perhaps a bit unfortunately, staffers need to keep an eye on each other as well. "Knowing what is happening on your network and who has access to what is critically important, especially in smaller organizations like credit unions," Kersnick says. "Your security policy should include not giving all the keys to one person. IT people often have access to more pieces of information than they really need. For instance they have no need for the passwords to access the Fed. It's the same with wire transfers. 
And more than one person should have each of those keys, in case someone leaves, disgruntled or otherwise," he says. It also doesn't have to cost a fortune. For $500, Kersnick says, he can set up an intrusion detection system that helps mitigate risks, and it can be monitored externally for a monthly fee. Such systems also can be monitored in house by staffers who keep up with advisories from CERT and other Internet security organizations and help make sure the organization follows best practices internally. That puts pretty solid risk reduction measures in place, and "all it costs you is an old PC to monitor it," Kersnick says. "It cracks me up sometimes," he says. Credit unions, because of their open culture compared with banks, can be a bit slower to catch on to a lot of the realities of IT security these days, but cost and technical demands aren't the barriers they have been in the past, Kersnick says. "There's no reason for anyone not to be able to do it," he says.
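Kersnick's two access rules above, that nobody holds keys their job does not need and that no key is held by only one person, can be checked mechanically from a list of who holds what. The script below is an added example, not code from the article, from Kersnick or from Bluefish Systems; the role definitions, the staff names and the privilege names are constructed sample data chosen to mirror his Fed-credentials example.

```python
"""Access review: flag privileges a role does not need (over-provisioning)
and privileges held by fewer than two people (no backup keyholder).

Added example, not from the article or from Bluefish Systems. ROLE_NEEDS and
ASSIGNMENTS below are constructed sample data.
"""
from collections import defaultdict

# Constructed: the privileges each role is expected to hold.
ROLE_NEEDS = {
    "it_admin":   {"domain_admin", "firewall_config", "backup_restore"},
    "operations": {"fed_credentials", "wire_transfer_approve"},
    "teller":     {"core_banking_lookup"},
}

# Constructed: (person, role, privileges actually held). Alice in IT holding
# the Fed credentials is the over-provisioning case the article describes.
ASSIGNMENTS = [
    ("alice", "it_admin",   {"domain_admin", "firewall_config",
                             "backup_restore", "fed_credentials"}),
    ("bob",   "it_admin",   {"domain_admin", "firewall_config"}),
    ("carol", "operations", {"fed_credentials", "wire_transfer_approve"}),
    ("dave",  "teller",     {"core_banking_lookup"}),
    ("erin",  "teller",     {"core_banking_lookup"}),
]


def excess_privileges(assignments, role_needs):
    """Return {person: privileges held that the person's role does not need}."""
    excess = {}
    for person, role, privs in assignments:
        extra = privs - role_needs.get(role, set())
        if extra:
            excess[person] = extra
    return excess


def single_holder_privileges(assignments, min_holders=2):
    """Return {privilege: holders} for privileges held by fewer than
    min_holders people, i.e. keys that walk out the door with one person."""
    holders = defaultdict(list)
    for person, _role, privs in assignments:
        for priv in privs:
            holders[priv].append(person)
    return {p: h for p, h in holders.items() if len(h) < min_holders}


def remediate_excess(assignments, role_needs):
    """Return a copy of the assignments with role-excess privileges removed."""
    return [(person, role, privs & role_needs.get(role, set()))
            for person, role, privs in assignments]


def review(assignments=ASSIGNMENTS, role_needs=ROLE_NEEDS):
    """Run both checks and return their findings."""
    return {
        "excess": excess_privileges(assignments, role_needs),
        "single_holder": single_holder_privileges(assignments),
    }


if __name__ == "__main__":
    findings = review()
    for person, extra in sorted(findings["excess"].items()):
        print(f"{person}: holds {sorted(extra)}, not needed by role")
    for priv, who in sorted(findings["single_holder"].items()):
        print(f"{priv}: only {who} holds it, add a second keyholder")
    # Stripping the excess is not the end of the job: once Alice loses the
    # Fed credentials, Carol is the only holder, so a second operations
    # person has to be given that key before the review is clean.
    after = review(remediate_excess(ASSIGNMENTS, ROLE_NEEDS), ROLE_NEEDS)
    print("single holders after trimming IT:", sorted(after["single_holder"]))
```

Run both checks together and re-run them after each change: removing a privilege from the wrong person can turn a properly held key into a single-holder key, which is exactly the "someone leaves, disgruntled or otherwise" case the article warns about.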